I am a little confused on the contextual differences between permission and privilege from computer security perspective.Though I have read the definition of both the terms but it will be nice if someone can give me some practical example e.g.

6 Answers
6

In the context of rights, permission implies consent given to any
individual or group to perform an action. Privilege is a permission
given to an individual or group. Privileges are used to distinguish
between different granted permissions (including no permission.)

A privilege is a permission to perform an action.

Also from the above english.se link

A permission is a property of an object, such as a file. It says which
agents are permitted to use the object, and what they are permitted to
do (read it, modify it, etc.).

A privilege is a property of an agent, such as a user. It lets the
agent do things that are not ordinarily allowed. For example, there
are privileges which allow an agent to access an object that it does
not have permission to access, and privileges which allow an agent to
perform maintenance functions such as restart the computer.

So in your example the privilege is having the permission to write the file 'x'

They are normally pretty interchangeable, though I've heard some systems where the permission is the thing that an action demands and the privilege is what the user has. So a user might be granted a privilege that corresponds to the permission being demanded, but that would really be semantics of some systems and isn't always the case.

Either way, unless you have a more specific situation where it's causing you problems, it's normally more of a semantic difference.

That distinction is common in the unix world, where we tend to say that a process has privileges (what they can or cannot do) and files have permissions (what can or cannot be done to them).
–
GillesAug 27 '13 at 17:01

@Gilles - hmm, perhaps that was what I was thinking of. I don't work in the Unix world much, but I did take a Unix admin course in college and I remember it from around that time. Hmm, or it may have been RBAC.
–
AJ HendersonAug 27 '13 at 17:37

yes, they are subtly different (but only if you are fully modelling Role Based Access Control (RBAC)):

consider an ER model for role based authorisation:

an application has functions

functions may be performed by roles

identities are given roles

individuals are provisioned with identities

bringing that together a little bit, we can say:
+ an individual (who has an online identity), performing a role is given permission to perform functions in applications

So:

the permission is the ER link between the role, function and application, i.e. permissions are given to roles

the privilege is the ER link between an individual and the application, i.e. privileges are given to people.

HOWEVER, many designers don't bother separating individual and role or don't separate function and application and so the difference between privilege and permission is missed. In my experience, you often see this when someone says "use AD groups to store RBAC" - this is a serious anti-pattern.

In a world where there are requirements to report on toxic combinations and granular permissioning is more common place then it the data model for storing RBAC is very much more important.

In conversation, as many answers have said, the two are typically interchangeable.

Some of the possible contextual differences between the two as used by various computer environments are inherent in the connotations of the two words.

A permission is asked for, a privilege is granted. When you think about the conversational use of the two words, the "proactive" use of a permission (the first action typically taken by any subject in a sentence within a context) is to ask for it; the "reactive" use (the second action taken in response to the first) is to grant it. By contrast, the proactive use of a privilege is to grant it, while the reactive use is to exercise it.

Permissions are situation-based; privileges are time-based. Again, the connotation of the two terms is that permission is something that must be requested and granted each and every time you perform the action, and whether it is granted can then be based on the circumstances of the situation. A privilege, however, is in regard to some specific action that the subject knows they are allowed to do, because they have been informed once that they may do this thing, and then the subject proceeds to do so without specifically asking, until they are told they can no longer do this thing.

So typically, as used in IT security, privileges determine permissions. A user, though their account, is granted the privilege of reading a particular type of record (or a particular record) by the administrator of a system; this is typically done once, or as needed over time. The application, acting on behalf of the user who has authenticated themselves using the account, then asks for permission to perform an action each and every time it must do so, and the system grants this permission in each situation after examining the privileges of the user.

I'm curious, what exactly do you think is the contextual difference between the two?

I have seen (and used) both terms interchangeably. I have never seen anyone making a distinction between the two terms before. They both refer to whether someone has the rights to perform a particular action.

Actually I was reading article on "Least privilege security" where privilege is a must broader term that is given to a user group like administrator group. A User group can have multiple permission.
–
Ali AhmadAug 27 '13 at 11:49

@AliAhmad I guess that article is using the term privilege in place of the more common term "role" as in role-based access control and the like.
–
Terry ChiaAug 27 '13 at 11:51

Privilege is almost always used in the context of system actions and abilities of the user in regards to non-object specific tasks and frequently refer to interactions with the system or application itself.
* Add/remove user accounts.
* Add/remove hardware devices.
* Install applications.

Permissions are (generally) used in the context of filesystems (or objects that are referred to as part of the filesystem such as the /dev directory in *nix). You will set up a list of permissions on an object (file) that determines what specific people can do to that object.

It is generally the combination of privileges and permissions that determines someone's overall access to a system. If I have permission to access a specific file on a Windows system, for example, but I do not have the privileges to log on to this system locally or through the network, then I can't actually access it, even though the file's ACL (Access Control List) says that I can.